Involvement of the Board in Future Security Incidents

Topic proposed by Dimitris Glezos (2009-02-03)

Should the board be notified in the instance of future events?

Several noted that Mike McGrath is working on security policy as part of the CSI (Community Services Infrastructure) documentation; security policy, including incident reporting, is part of that set of docs.

pfrields: Mike was unavailable because of prior conflicts, but we can invite him to the next available call.

glezos: response in this matter continues to affect our community image

How do we deal with this next time? What needs to change? Answering these questions clearly is of key importance.

notting: As said, 'security policy, including incident reporting, is part of that set of docs' - "how we deal with this" is the goal of the document.

glezos: The way we dealt with the incident affected and affects Fedora's image

This is somewhat of a crisis management issue

Discuss with Mike:

servers co-located with RH in PHX -- have a policy in place that addresses them

servers outside any RH-owned colo -- have Fedora (& Board) be most accountable

strategy for increasing server location on which Fedora (& Board) can be most accountable

notting: fundamental conflict with budget - we're unlikely to get tens of terabytes of storage in multiple GEOs randomly donated

pfrields: timeline for community expectations

glezos: basis to expand services to other places, i.e. move away from colos?

mdomsch: PHX and other colos provide a high degree of service that is hard to get elsewhere.

skvidal: Because RHEL is downstream of Fedora, if we have reason to believe there's risk to Fedora, Red Hat is a natural stakeholder

spot: No reason we couldn't give Red Hat a timeline for our announcements

glezos: Can we at least ensure Board has a seat at the table in any decision making?

spot: If we go beyond the borders of Fedora, the situation generally demands NDAs

NEXT ACTIONS:

Invite Mike McGrath on list and at 2009-04-14 meeting, to discuss his thoughts, status of an incident reporting policy, and target completion date for written policy

Once ready, have Mike present the policy to Board for discussion

Contributions from Embargoed Nations

Topic proposed by Paul Frields

Paul and Spot are consulting with Red Hat legal and discussions continue

Long discussion about speculations on what exactly the law requires and how it ties our hands in many ways (all Board members contributed).

Ongoing discussions on what is allowed to be used from upstream servers, and how Fedora cannot police upstream projects

Translations are a good example of universal, non-code bits.

Overall, Board continues to desire a fair policy for all potential contributors

NEXT ACTIONS:

Spot and Paul to report back with more information as it becomes available.